You would notice that rights octal representation is coded with powers of 2. This is a common way to represent bunch two-states settings that can be independently toggled. Indeed, a file does not properly have a list of permissions set, you should see this rather as a a bit string (where a 1 at the position i means ON and a 0 means OFF for the right coded 2i).

File permissions are thus represented with nine bits. The three most significant representing the owner rights and the three least significant representing others rights. For instance, a typical file permission is 640 which means The owner can read an write, the group have a read-only access, and other can't even read it.

Alter permissions meaning

There is actually three more bits that allow you to alter the meaning of other permissions

Subject

Right (Oct. repr.)

Name

Description

File

s/S (4)

Setuid bit

Enables to execute the underlying file in the name of the owner. This means that if you are allowed to execute this file (ie. have x right) and the file is owned by simon, it will be executed as if you were simon (namely, with his rights). A typical file using setuid is /usr/bin/sudo.

s/S (2)

Setgid bit

Same as the setuid bit but granting group permissions instead of owner's ones.

t/T (1)

Sticky bit

Prevent the underlying file to be flushed from memory after execution. Quite limited interest nowadays though.

Directory

s/S (4)

Setuid bit

No effect

s/S (2)

Setgid bit

Causes any later file or sub-directory created within this directory to have the same group as the underlying directory instead of the creator's group by default. Moreover, later sub-directories would inherit the setgid bit.

t/T (1)

Sticky bit

Denies any user but the directory owner to remove a file from this directory. Of course, note that this does not prevent any user with write privilege on a file to truncate it.

The notation of the setuid bit (s/S), the setgit bit (s/S) and the sticky bit (t/T) overwrites the notation of the execution permission (x) of respectively the owner, the group and the others. Lowercase means x is set. Uppercase means x is not set.

For instance, in this sample, -rws--x--T is equivalent to the following octal value 5710 (where 5 means setuid+sticky).

Going further

As you would have notice, this does not provide a fine-grained way to manage permissions, but this is quite light, simple, and sufficient for most usages. However, if you think you need a really fine-grained level, you should consider looking at Access_Control_List or SELinux.

Manage user and groups

Users, and Groups are named, and numbered. the lower the number the more permissions the account has. For example root user has the number 0, and root group has the number 0. To display this information:

Change owner and group of file

You can change owner and group of a file with chown.

# chown <user>:<group> <file>

You can change owner of a directory and children recursively with:

# chown -R <user>:<group> <folder>

Security

Generally you will want to have restrictive yet functional permissions. 777 on everything is a bad idea, especially files containing plain text passwords. 600 is common for files like this, with a high level user. mediawiki's LocalSettings.php has database passwords. A good method to lock this down is to change its permissions to 600, and set the file owner as the webserver's user.

Can I have write permission on a file while not being allowed to read it?